Thursday, May 15, 2008

BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers: the lack of encryption. Indeed, this is a problem, since SIP passes an MD5 hash of the password in clear text, and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now, and some tools are very efficient in demonstrating this issue.
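To make the exposure concrete, this added example (not from the original post or the BBC article) parses a constructed SIP REGISTER, flags digest credentials sent over a non-TLS hop, and recomputes the response the way a registrar does, showing that the password is the only input an observer lacks. The account, password, nonce and addresses are made up, and the function names are this example's own.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Digest response per RFC 2617, the scheme SIP (RFC 3261) reuses."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def audit_sip_message(raw):
    """What a passive observer reads from one request (top Via = this hop only)."""
    lines = raw.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    via = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    transport = via.group(1).upper() if via else "UNKNOWN"
    auth = headers.get("authorization", "")
    fields = {}
    if auth.lower().startswith("digest"):
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', auth)
        fields = {k.lower(): quoted or bare for k, quoted, bare in pairs}
    exposed = bool(fields) and transport != "TLS"
    return {"method": method, "transport": transport, "fields": fields, "exposed": exposed}

def registrar_check(report, password):
    # A registrar's verification: the password is the only input not on the wire.
    f = report["fields"]
    return f.get("response") == digest_response(
        f["username"], f["realm"], password, report["method"], f["uri"],
        f["nonce"], f.get("qop"), f.get("nc"), f.get("cnonce"))

# Constructed sample: account, password, nonce and addresses are made up.
PASSWORD = "constructed-Passw0rd"
RESPONSE = digest_response("alice", "example.invalid", PASSWORD, "REGISTER",
                           "sip:example.invalid", "c0ffee0123456789")
SAMPLE = f"""REGISTER sip:example.invalid SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed
Authorization: Digest username="alice", realm="example.invalid", nonce="c0ffee0123456789", uri="sip:example.invalid", response="{RESPONSE}", algorithm=MD5
"""
```

Because every other input is readable on an unencrypted hop, password strength is the only thing protecting the account; carrying signalling over TLS removes the header from a passive observer's view on that hop.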

What caught my eye is the mention of VoIP credentials being sold on the underground for $17 apiece. So I emailed Mr Gladwin, who was quoted in the article. This is a summary of our email conversations:

There is no indication that stolen VoIP details were harvested because of the lack of encryption

If anyone comes across underground forums / sites / resources which have prices, please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now).

There was no indication as to the size or volume of the VoIP credentials trading

Skype took the chance to remind us that this is not an issue for them (since they make use of a proprietary protocol which has encryption built in).

I'm interested in learning which method is being used to steal credentials. Take your pick:

My feeling is that active password attacks will give you the best results when the target is simply "the Internet". But in the end, what matters is what's currently being abused and how we can prevent and mitigate it.